[351] in Kerberos


[eachus@mitre-bedford.arpa: Re: Question--Exporting the DES Algorithm]

daemon@TELECOM.MIT.EDU (Bill Sommerfeld)
Thu Apr 7 18:01:38 1988

From: Bill Sommerfeld <wesommer@ATHENA.MIT.EDU>
To: kerberos@ATHENA.MIT.EDU

Here's yet another opinion on DES exportability.

				- Bill
------- Forwarded Message

Resent-From: <security@aim.rutgers.edu>
Date: Fri, 11 Mar 88 17:55:05 EST
From: eachus@mitre-bedford.arpa
Subject: Re: Question--Exporting the DES Algorithm
Sender: security@aim.rutgers.edu
To: iconsys!bryan@uunet.uu.net
Resent-Date: Wed, 6 Apr 88 23:01 EST
Resent-To: security-list@aim.rutgers.edu

     The communications on exporting the DES algorithm which have
appeared on the net recently are ALL correct.  Huh?  What did you just
say?  Read on.

     If something not subject to ITAR regulations is in the public
domain, or "widely published" in the US, any citizen has a general
license to export that information.  In fact you may go overseas and
speak publicly about what you know, and that will create information
subject to license requirements, qualify it for general license, and
export it.  In other words, as an American citizen, your freedom of
speech does not end at the water's edge.  (The country where you give
the speech might not like what you say, but that is a different
issue.)

     However, if you have information subject to ITAR regulations (no
matter how you got it), you (or your company) can be prosecuted if you
export it without State Department approval.  See the "aid and
comfort" clause in the constitution.  Since some crypto information is
clearly protected this way, most company lawyers "take the easy way
out" and advise the company not to export any crypto software, without
checking to see if it falls under the ITAR rules.

     (Apply standard disclaimers to what follows at least twice.)  Last
time I checked the "opinion" of State was that the DES algorithm was
not subject to ITAR rules, although certain implementations (usually
in the form of chips) were protected.  Note that any government
employee must be vague here, either he knows all the (classified) uses
of crypto (and where is YOUR need to know) but can't tell you, or he
doesn't know and can't be more specific.  Therefore the standard
procedure is to request an opinion before exporting crypto
implementations, and if you don't get something on the order of "your
application does not currently appear to fall under ITAR rules..." you
talked to the wrong person (or you really are trying to export a 300
MIP DES chip 8^> ).

     If you do ACCIDENTALLY export something subject to ITAR rules, you
probably won't go to jail.  In any violation, your rights to free
speech must be shown to conflict with other constitutional powers, and
the balance must tilt strongly against you before the ITAR regulations
have any standing.  If you intentionally violate the ITAR regs,
however, you might not have any constitutional protection.

     Let me give you a realistic example.  You buy a Zowie 1000
portable computer and take it with you to England.  Unbeknownst to
you, the Zowie 1000 is used in a test system for Stealth Bomber ECM
equipment.  You violated the ITAR regulations, but in the normal
course of events, you won't even know it, because the DoD is unlikely
to tell the Customs people which COTS (commercial off the shelf)
equipment is used on black projects.  In any case your violation was
innocent and is probably protected.

     Second case, an ATE specialist on the Stealth project buys a
Zowie 1000 for personal use because he uses it at work and likes it.
He takes it (and some of his software) to England on his vacation.
Dumb, and the security folk at the plant may have a long talk with
him, but if it was innocent probably no long term repercussions.  The
third case of course, is he takes it with him and sells it to a
foreign agent for $100,000 -- and twenty years hard labor.  What did
you think the ITAR regulations were for anyway?

     So now you know why all the weasel words.  If you take my
(knowingly incorrect) advice (or someone else's) and innocently violate
the ITAR regs, I'm guilty and you are not...  "So you're going to
Berlin on your vacation?  Could you do me a favor?  I have this
package for my sister, but the mail takes weeks.  I'll give you ten
bucks for your trouble."  You are only guilty if you think he's a spy
and do it anyway...  Each case is different, and an awful lot depends
on intent.

     It would be nice if someone who has requested and received (from
the government, not from a company lawyer) a recent opinion on the DES
algorithm would post the opinion here.  If no one out in net land has
a recent opinion, someone should go ahead and request one.  The most
recent opinion I have seen was two companies back, and things can
change in either direction.

					Robert I. Eachus

Disclaimer: Oh boy, do I need one here.  If you have any intention of
exporting anything which might be subject to ITAR rules, have your
lawyer check with the State Department and get a written opinion.  If
you decide to create a test case and take it to the Supreme Court,
I'll be glad to come cheer, but if you expect me to get up and say it
was all my idea, you didn't read carefully.

Second Disclaimer: I didn't ask MITRE, MITRE's lawyers, or anyone
else's lawyers for their opinion of this message, but if I did, I'm
sure that they would waffle at least as well as I did.

------- End Forwarded Message
